How much money does your small business spend on information security per year? Not sure? Afraid to say? Relax, we're not here to judge. The reality is, every business runs on a budget. Smaller businesses typically have fewer resources than larger corporations. Fewer resources mean less capital to devote to IT security. For a company of fewer than ten staff, add-ons to the yearly budget can be painful. Too many see security as a cost centre: taking away from profits more than giving back.
Make no mistake, however: your business must do something. Small businesses may think they're not at risk, but the reality is they're big targets for scammers. According to TechJury.net, 43% of all attacks are aimed at small businesses. Data protection measures aren't cost centres, they're an investment. What you put in now might not show profit right away, but it becomes invaluable down the road. The money your business spends on improving security now will pale against the time, reparations and fines after an incident.
Still, you don't want to bankrupt your company when investing in safeguards either. So where to start? How do you secure your information assets without breaking the bank? Thankfully, you have options: defensive strategies that cost little and can scale as your organization grows. If your business needs to start with security, here are some of the best ways to get the most bang for your buck.
1. Pick your security and privacy leader(s)
This is an easy one, because it doesn't rely on spending money on new purchases. Rather, it's a critical starting point for your organizational framework: who will lead your security efforts? Who will write practices down? Who will be accountable for your security program? Sometimes it will be the person with the most technical aptitude, but not always. It may be someone who's great with regulatory requirements, or someone who's perfect at keeping order, like a finance or operations manager. It can even be the CEO, so long as they have time to devote to the job. Remember, security lead is more than a title: it will take up time as an active, regular part of your routine.
Be sure to think 'management' more than 'developer' for this role. This isn't a position that can hide from the team and patch systems on the fly. Having a security lead means someone is taking the reins of the program. If your IT team is internal, the lead will oversee project management and goals. If you outsource, they'll need to communicate with contractors and sign off on work. They'll need to report to executive management, getting everyone on board.
If you feel the role is more than one person can handle, consider splitting the job. This may be practical given in-house expertise or industry requirements. You may have one person versed in regulatory affairs, and partner them with an ace at logistics. An IT leader and a human resources enthusiast: whoever best ensures the job gets done. A lead for technical security, and one for administrative controls. If you split the role, however, be sure there's a regular channel for communication and decision making. Make certain that when it comes to security decisions, both sides are in the know and reaching agreement.
2. Invest in people and culture
For security, having an active, security-aware staff is paramount. The more aware individuals are of security threats, the lower the risk from their actions. Training can reduce threats by up to 70%: nothing to sneeze at. With 91% of attacks launched through a phishing email, training needs to be a priority.
When it comes to your budget, solid training is worth the investment, but there are ways to lower the price tag. Start by reaching out to local companies that offer training and ask if they know of any options. Some governments offer funding for staff professional development if you meet their criteria. Does the trainer ever partner with other programs? Can you join forces with another company in your industry to split or share the costs? Is there someone willing to train others if you cover the cost of a course? Check with local business associations and ask if they ever put on security training for members. Even if they don't offer anything yet, most organizations keep an eye on items of interest to members. If the community shows a high interest in training, they'll consider it in the future.
Along with formal training, there are inexpensive options to augment programs, highlight special topics and keep up staff awareness.
These tools include:
- Online webinars, including Brighttalk and LinkedIn Learning
- Books and ebooks that can be purchased for staff reading
- Blog posts and regular articles on security news
- Learning tools and courses such as Cybrary and SANS Cyber Aces (intended more for intermediate and advanced practitioners)
- The Daily Security Tip, which sends advice once a day via email
3. Plan to patch
How often do you check for and install security updates? As soon as they come in? Once a week? Once a month? Whenever you see a unicorn running over a rainbow? If the latter, time to do better. Patching keeps your systems safe against known vulnerabilities. Patches are updates sent by developers to fix known problems and prevent future attacks. As a safeguard, patching is also dirt cheap: unless you're buying a new version of the software, patches are free.
Talk with your newly-selected security lead. Take out a calendar and ask: when will the business regularly check for updates and install them? Are there days when business tends to move slowly, and downtime won't have significant impacts? Are there days when taking time away from other tasks is unacceptable? How many devices will need an update? Should you create a checklist? Choose your dates for running updates and completing installations. By making a plan, you're less likely to forget updates during hectic times.
4. Limit access to sensitive information
Although collaboration can bolster productivity, not all information should be freely available. Decide what information is for confidential eyes only, and make it need-to-know. Public marketing plan for customers on the company's tenth anniversary? Get everyone talking. The passwords to your staff pay centre? Zip a lip. The fewer individuals who can access sensitive data, the less opportunity for abuse.
Once you know what information is classified, ask: can you scale down with any tools? Many platforms, for example, call for paid licences per user. Instead of basing licences on potential need, take a critical look at roles and responsibilities. Keep user accounts to a minimum until there is a solid case that information access is necessary for the role. If an individual can do their job without a user account, you're saving fees and eliminating one more back door. Selecting what data is sensitive and who needs access will also aid in deciding what to encrypt, as seen below.
5. Encrypt what you can
Is your sensitive data encrypted? If not, time to start: encryption is a must for every system. For starters, Google now counts encryption (HTTPS) as a search ranking signal, so confirm your site has a valid security certificate.
Encryption protects information by encoding it so that only authorized parties can read it or make changes. It is particularly valuable for sensitive data. In the event of a breach, so long as the encryption key is not compromised, the data remains confidential. On the downside, encryption can add to processing time, and may not work with all applications. There's also a risk if you lose the key or password: no key, no way to recover the data. For small businesses with less sophisticated security teams, start by making a plan. What data will benefit the most from encryption? Will you encrypt specific documents, folders, or drives?
The good news is, once you decide, there are lots of inexpensive options available. Pre-installed on Windows 10 are Encrypting File System and BitLocker. BitLocker is also preinstalled on older systems, while macOS users can take advantage of FileVault. Inexpensive third-party options include Secure IT and Concealer, or use-specific platforms like Protonmail.
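One cheap way to act on "confirm your site has a valid security certificate" is to check it yourself. The script below is an added example, not code from the original post: it connects to a hostname you supply (assumed to be your own site), lets Python's default TLS context verify the chain and hostname, and then reports how many days are left before the certificate expires, flagging anything inside a 30-day warning window.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Date strings as returned by ssl.SSLSocket.getpeercert()["notAfter"],
# e.g. "Jun  1 12:00:00 2025 GMT"
CERT_DATE_FMT = "%b %d %H:%M:%S %Y %Z"
WARN_DAYS = 30  # assumed warning window; adjust to your renewal routine


def parse_cert_date(value: str) -> datetime:
    """Turn a notAfter/notBefore string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, CERT_DATE_FMT).replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days until the certificate expires; negative if it already has."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_date(not_after) - now).days


def assess(not_after: str, now: Optional[datetime] = None) -> str:
    """Classify a certificate as 'expired', 'expiring-soon' or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days < WARN_DAYS:
        return "expiring-soon"
    return "ok"


def check_site(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect over TLS, verify chain and hostname, and report expiry status."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired or mismatched certificate: browsers will warn too
        return {"host": hostname, "status": "invalid", "detail": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        return {"host": hostname, "status": "unreachable", "detail": str(exc)}
    return {"host": hostname, "status": assess(cert["notAfter"]),
            "not_after": cert["notAfter"],
            "days_left": days_until_expiry(cert["notAfter"])}


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it monthly alongside your patch schedule so a lapsed certificate never surprises you.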
6. Have a budget
By now, you should be getting ideas on inexpensive ways to improve your security program. Some of these safeguards are likely already in place; others you can start planning. Before you get started, however, there's one more must-have for saving money on security: set up a budget.
Security isn't a one-time operation: it will need to evolve with your industry and business growth. It requires establishing priorities: where are the most likely risks to your business? Who are your potential threat actors, what will they want and how might they get in? As Hugo Reed states in 5 Important Reasons Why Every Business Needs A Security Budget, "the beauty of a security budget, or any budget for that matter, is that it allows you to set clearly defined goals, deadlines and even cater to potential outcomes."
By making a budget, you're evaluating needs, risks, and the resources available. If you have a budget, you can decide when to bring in a robust solution, and when problems can be solved with inexpensive tools. Having security as a regular item in the budget is beneficial for business growth. It demonstrates an organized approach to investors if you need future funding.
A budget will also help as your company grows. The more your business expands, the more robust customers will expect your security safeguards to be. This is particularly true if your industry focuses on sensitive data types, such as health, finance or behavioural data. Make the potential costs of protective measures part of the discussion when considering changes. As your business expands, think about not only getting bigger, but growing stronger to meet long-term goals.
Photo by Josh Appel on Unsplash